Machine fake rebooting

Tyler Aviss tjaviss-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Mon Mar 1 18:42:29 UTC 2010


If it's anything other than "shutdown -k", shouldn't it be showing in syslog?

Other than the fact it drops my SSH session (which I can reconnect to
right away anyhow), I see no other symptoms that it actually attempted
a real shutdown. But again, nobody else should even have access to do
the shutdown -k, and that shouldn't be able to drop the SSH session.

No UPS daemon running
No watchdogs that I know of unless there's something that asterisk is
trying to pull off on me.

chkrootkit shows up nil, and rkhunter didn't find anything noteworthy,
but this is on the running box. I'm going to have to attach a
USB-CDROM to it and run those again from a known safe source.

- TJA


On Mon, Mar 1, 2010 at 10:22 AM, Robert Brockway
<robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org> wrote:
> On Mon, 1 Mar 2010, Tyler Aviss wrote:
>
>> I've since changed my own password and turned on molly-guard just in
>> case. Is there perhaps something that can be misinterpreted as a
>> reboot or some weird hot-key that will do it?
>
> In general it's considered a bad idea to auto-reboot servers since they may
> fail to come up and no sysadmin is necessarily present to deal with the
> issue.
>
> There are a couple of processes which can be allowed to reboot a box though:
>
> (1) UPS daemon software.  Normally they halt rather than reboot and they
> clearly report themselves when doing it.
>
> (2) A watchdog process.  A watchdog should really be pushing the big red
> button rather than doing an orderly shutdown[1].   Software watchdogs can
> fail to reboot a box in some circumstances but even they can call
> HARD_RESET_NOW() and avoid doing an orderly shutdown.
>
> Do run rkhunter and/or chkrootkit on the box, just in case.
>
> [1] If the box is able to do an orderly shutdown how sick could it be? If
> the orderly shutdown fails the watchdog was useless.
>
> Rob
>
> --
> Email: robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
> IRC: Solver
> Web: http://www.practicalsysadmin.com
> I tried to change the world but they had a no-return policy
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
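
Added example, not part of the original thread: one way to check whether a real shutdown or boot was recorded around the time an SSH session dropped, by parsing a copy of /var/log/wtmp, which goes beyond the syslog check mentioned above. It assumes the 384-byte Linux/glibc utmp record layout and that shutdown entries are run-level records with user `shutdown`; the sample records, the `admin` user and the `DROP` time are constructed.

```python
import struct

# Linux/glibc utmp record as stored in /var/log/wtmp: 384 bytes, little-endian.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
RUN_LVL, BOOT_TIME, USER_PROCESS = 1, 2, 7  # ut_type values from <utmp.h>


def boot_events(data):
    """Return [(epoch, kind)] for each boot or shutdown record in wtmp bytes."""
    events = []
    usable = len(data) - len(data) % UTMP.size  # skip a truncated last record
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        ut_type, tv_sec = f[0], f[9]
        user = f[4].split(b"\0", 1)[0].decode("ascii", "replace")
        if ut_type == BOOT_TIME:
            events.append((tv_sec, "boot"))
        elif ut_type == RUN_LVL and user == "shutdown":
            events.append((tv_sec, "shutdown"))
    return events


def rebooted_near(data, when, window=300):
    """True if a boot record falls within `window` seconds of epoch `when`."""
    return any(kind == "boot" and abs(ts - when) <= window
               for ts, kind in boot_events(data))


def sample_record(ut_type, user, line, tv_sec):
    """Build one constructed record for the demo (not real log data)."""
    return UTMP.pack(ut_type, 0, line, b"", user, b"", 0, 0, 0, tv_sec,
                     0, 0, 0, 0, 0)


# Constructed data: one boot, one login, no reboot around the dropped session.
DROP = 2_000_000  # hypothetical epoch at which the SSH session dropped
QUIET = (sample_record(BOOT_TIME, b"reboot", b"~", 1_000_000)
         + sample_record(USER_PROCESS, b"admin", b"pts/0", 1_999_000))
# Same history followed by a recorded shutdown and a boot one minute later.
REAL = (QUIET + sample_record(RUN_LVL, b"shutdown", b"~", 2_000_000)
        + sample_record(BOOT_TIME, b"reboot", b"~", 2_000_060))

if __name__ == "__main__":
    for name, data in (("QUIET", QUIET), ("REAL", REAL)):
        print(name, boot_events(data), rebooted_near(data, DROP))
```

For a real check, pass the bytes of a wtmp copy read from trusted media, for example `boot_events(open(path, "rb").read())`.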